Hello. My name is Irena Vipavc Brvar and I'm employed at the Slovenian Social Science Data Archives. I'm also leading the CESSDA Training Working Group. I'll be talking today about legal and ethical considerations for sharing research data, especially in the field of social sciences and humanities. The information in this presentation is based on our current interpretation of the legal system, so legislation and its implications for research and the archiving of research data. So please do seek professional legal advice when appropriate. As you know, this is a very fluid area and thus changes are still possible, so national legislation is still being processed. Currently, it's accepted in 22 countries, Slovenia not being one of them due to the resignation of the government in the spring of 2018.

A brief note about the organizations. So the Slovenian Social Science Data Archives, also called ADP, was established in 1997. It serves as Slovenia's national data repository for social sciences. We have approximately 600 social surveys with data in our catalog and about 150 more with metadata and documentation only. ADP received the CoreTrustSeal at the end of 2017 and we are members of CESSDA. CESSDA itself is a consortium of European Social Science Data Archives. As you can see here on the map, with dark blue, it's the members. We currently have 16 members and one observer, which is Switzerland, and we are working towards partners to join.

Most of the content for today's presentation was taken out of the CESSDA Data Management Expert Guide that was prepared in 2017 with several CESSDA partners. Its content is freely accessible at the CESSDA.eu/dmguide webpage and is licensed under the CC BY-SA license. So, the chapters that you can find in the expert guide on data management. We are covering planning, where you can find more information on how to become aware of what a data management plan is and why it's important. Also we are mentioning the FAIR principles. Then we are talking about organizing and documenting.
So about designing an appropriate data file structure, naming, organizing your data, etc. Following is a chapter on process, when we are talking about data entry, coding, file formats and versioning, and then a chapter on storing, where you plan a storage and backup strategy and also need to think about protecting your data from unauthorized access. The chapter that we'll be talking more about today is the chapter on protection. So we'll be talking about legal and ethical obligations, but we also have a chapter on archiving and publishing, when we are talking about data publication services and how to promote your data. The last chapter will be ready at the end of 2018 and it will be on discovery. So how to discover and reuse the existing data.

So legal and ethical work done in research is much influenced by the new regulation, and I'm sure that most of you are aware that the General Data Protection Regulation was implemented on the 25th of May in 2018 in all EU countries. It applies to personal data and data of living persons. However, be careful about it because there might be some national specific regulations here as well. GDPR applies to any controller or processor in the EU who processes personal data regardless of whether the processing takes place in the EU or not, and also outside the EU if they process personal data of EU citizens. As said, this regulation will be supplemented by national law.

So let's see now what are the additional things in the GDPR and what are the implications for research. When reading this, you see more continuity really than change, but however, let's expose some things. GDPR has a limited flexibility but leaves room for national supplementary provisions including derogations, and this possibly applies especially to the field of research. And then we see individuals that get more rights.
So, for example, rights to data portability, and also institutions will be held more responsible for the data they hold and process, so we can talk about accountability. We see increased fines for breaching the GDPR and the misuse of personal data, and then a broader definition of scientific research, privacy by design and default, data protection impact assessment, code of conduct for various sectors is encouraged, and also new requirements for information to be provided to the data subject, new requirements for consent, and also broad consent to certain areas of scientific research is now possible.

So let's see how GDPR defines personal data now. So personal data is defined as information related to an identified or identifiable natural person, so in this case the data subject. An identifiable natural person is defined as one who can be identified directly or indirectly by reference to identifiers such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or scientific or social identity of that natural person. However, there are some special categories of personal data that are subject to additional protection, and you can see from this picture that these are usually the data that we would collect in a normal social science survey. So special categories of data fall under racial or ethnic origin, then political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and sexual orientation, and also genetic data or biometric data.

Then we also have additional definitions when we are talking about personal data, what we can do with it. So one thing is pseudonymization of data. So what is that? This means that we handle personal data in such a way that no individual can be identified from the data without a key that allows the data to be re-identified.
This also involves removing or obscuring direct and indirect identifiers, and the key must be kept separately and secure. Pseudonymization is explicitly encouraged as a security measure in the GDPR, but be careful, pseudonymized data or encrypted data are still personal data. And to go one step further, on the other hand we are talking about anonymous data, so information which does not relate to an identified or identifiable natural person. Again, on the other hand we are talking about anonymous data. So what is anonymous data? Information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is no longer identifiable. Anonymization of the data should be irrevocable but should also be checked at regular intervals in the light of new technology. In practice it's very hard to anonymize data, especially when we are talking about qualitative research data like in-depth interviews. However, it's really important that we really try to do this, especially because GDPR does not apply to anonymous data.

What are the principles that need to be complied with when processing personal data? Again, start of this page. So what are the principles that need to be complied with when processing personal data? In the GDPR we can find six principles in Article 5. So we are talking about personal data that must be processed lawfully, fairly and in a transparent manner. In practice this means that the data subject is informed of what will be done with the data. And then next principle is collected. Data need to be collected for specific purposes and not processed further for incompatible purposes. We are talking about purpose limitation. However, there are exceptions for research and archiving purposes in accordance with Article 89. And the next principle, personal data must be adequate, relevant and limited to what is necessary.
So data minimization: do not try to collect what you don't need. And data must be accurate and, when necessary, up to date. They must be kept identifiable for no longer than necessary. And the storage limitation, again, there is an exception for research and archiving purposes in line with Article 89. Data also need to be processed with appropriate security, ensuring data integrity and confidentiality. And for that, the controller shall be able to demonstrate compliance. It's also said, so we are talking about accountability.

What's the legal ground for processing? All processing of personal data requires a legal basis. So most commonly, we see lawfulness of processing defined in Article 6, when we are talking about consent, necessary for the performance of a task carried out in the public interest, and if the collection is necessary for limited, again. So what are the legal grounds for processing personal data? And most commonly, we see this in Article 6, when we say the data can be collected when we have consent, when this is necessary for the performance of a task carried out in the public interest, when this is necessary for the legitimate interest pursued by the controller. But we also have special categories of data, when this is able to be collected, and so we need to have explicit consent, or if personal data are manifestly made public by the data subject. We would recommend you to be a bit ethical about it, even though the data are public, and still cannot really archive and distribute and analyze everything. And it's also important to say that data can be collected when this is necessary for archiving, scientific or statistical purposes with Article 89 and based on Union or member state law.

But what rights do subjects have? What is defined in GDPR?
So, in short, these are the right to be informed, the right of access, the right to rectification, the right to erasure, so the right to be forgotten, the right to restrict processing, the right to data portability, and the right to object, and rights in relation to automated individual decision making and profiling. As mentioned previously, there are special provisions for archiving and research purposes, so how we can use data there. In accordance with Article 89, further processing is not considered to be incompatible with the initial purpose. Personal data may be stored for longer periods and there are also exemptions for the subject rights that we just mentioned before. So the subject cannot be forgotten, they don't have the right to object, they don't have the right to information.

However, this is not something new. This is something that we encounter in many documents on research ethics, especially looking at the disciplinary code of ethics of, let's say, the American Sociological Association. You might even have a national code of ethics that would define your work with personal data or data subjects. We also have a European Code of Research Integrity where you can find mentioning of how you need to proceed when you're collecting the data. You might even have a university or institute defined code of ethics, as we have at the University of Ljubljana. And to go further, these kinds of definitions might be defined, so the codes of ethics might be defined by the funders, as Horizon 2020 or other EC projects or grants that we see. And also, you can see this as a requirement for specific journals, like that they would take, again, this webpage.

But this is not something new. This is something that we already see in many research ethics documents. So, for example, you can read the disciplinary code of ethics of the American Sociological Association. There are many definitions in it and much guidance on how to work with personal data.
And you might even have a national code of ethics from different associations. Then we also have the European Code of Research Integrity where it's again defined what to do with research data. We in Slovenia have a university defined research integrity document and also institutional things that might influence your work. But it's also important to notice that funders might request some of these documents and would invite you to go through some questions. These kinds of funders are Horizon 2020. We also see these in some other European projects and from projects of the European Commission and some grants. But we also see these requirements coming from the scientific journals, and they might sometimes require ethical committee approval before publishing and you need to share these documents with them.

So, when we're talking about ethics, ethics are an integral part of a research project, from the conceptual stage of the research process to the end of the research project itself. So, in short, these are some guidelines for ensuring compliance with ethical principles in Horizon 2020, and the main principles are to respect human dignity and integrity, to ensure honesty and transparency towards research subjects, to protect vulnerable persons, to ensure privacy and confidentiality, promote justice and inclusiveness, minimizing harm and maximizing benefits, sharing the benefits with disadvantaged populations, maximizing animal welfare, respecting and protecting the environment and future generations. And also one of the important things, we need to follow the highest standards of research integrity. We need to avoid any kind of fabrication, falsification, plagiarism, et cetera in our research work.

So, when we are talking about the ethical review process, we are actually talking about somebody that would help you to think through all these ethical issues that you are surrounded by when you're doing the research.
The principles of good research practice encourage you to consider wider consequences of your research and engage with the interests of your participants. Ethics review by a research committee is typically required when sensitive personal data are being collected or where people are involved. You would have such ethical committees usually at the university or faculty, and especially in Slovenia, most of the PhD students that are collecting any kind of sensitive data need to have approval by the research committee. So, the role of the committee is to protect the safety, rights and well-being of research participants and to promote ethically sound research.

So, when you are completing your ethics self-assessment for Horizon 2020, what do you need to consider? So, consider that ethics issues arise in many areas of research, and there are some mentions. So, it might be that you say that, yes, for my research, this is not the case, but you need to think really well in this direction. And it's not only that you need to protect your participants, so volunteers, you also need to protect yourself and your research colleagues. It is really good practice that you start thinking about ethics while designing your research protocols and, as always, your first source should be at your institution. You might have a special department, a special ethics department, or any kind of data protection officers that are now defined by GDPR.

So, in Horizon 2020, you also get some questions that you need to ask yourself when you are doing research that would, for instance, involve human participants. So, you can ask yourself, are there volunteers for social or human sciences research? If there are, you need to have documents such as details of recruitment, inclusion and exclusion criteria, informed consent procedures, et cetera. You need to be additionally careful when you are dealing with minors or children.
You might need to have approval from the guardian or legal representative and you need to make sure to clarify why you need to actually address this group of respondents and why you cannot work with some other group. It's also good practice that you do a risk assessment, so you might do a potential misuse of research results.

So, when talking about personal data, you need to ask yourself if you're collecting it. Does it involve the collection or processing of sensitive data? We mentioned before which are those. So, health, sexual life, ethnicity, political opinion, religion. So, again, these are the most common things that you would have in social surveys. Does it involve processing of genetic information? Does it involve tracking or observation of participants, like surveillance or localization data, such as IP addresses, cookies, et cetera? Perhaps it would be a good idea to read all the documentation when you are using the applications for the online surveys. They might automatically collect some of this information, so you need to be sure what will happen to them. And then you need to ask yourself if your research involves further processing of previously collected personal data, so whether you will be merging your data with some pre-existing data sets. It might be allowed in some countries. In some countries, this might be a problem.

So, when you're collecting personal data, this is the information that should be provided: details of your procedures for data collection, storage, protection, retention, transfer, destruction or reuse, et cetera. You might need to collect methods of storage and exchange and then data structure and preservation. So, there's quite a good list of things that it is suggested to actually save. And sometimes you wouldn't save it systematically, so it's really good that you go through these questions that are offered by different funders and follow them. It really helps to think about it.
It's also important that you save details of your data safety procedures. And if you are doing any kind of data transfer to non-EU countries, it's also important that you save this kind of document. At the first stage, it's also important that you save copies of the notification for collecting personal data and the consent form, as well as the information sheet and other relevant documents.

So, as we briefly touched on the ethical part, it's really important that we respect the standard. And sometimes to respect the standard, we need to actually do a combination of things. So, from the archival point of view, we would actually advise that you do try to get consent. You send an information sheet. You do anonymize data and gain clarity over who owns the copyright to your data, and especially you also need sometimes to control access because anonymization is just not fully possible. About controlling access, there's an additional chapter in our DM guide, so I'll not go too deep into it, but we would strongly suggest using common licenses like CC licenses.

So, what is informed consent? It is the process by which a researcher discloses appropriate information about the research so that a participant may make a voluntary informed choice to accept or refuse to cooperate. And more about consent we can find in Article 4 and Article 7 of GDPR. And by definition in GDPR we say that consent is any freely given, specific, informed and unambiguous indication from a person that confirms that his or her personal data might be processed. When we are talking about freely given: have a genuine choice, be able to refuse or withdraw without consequences, and not be in a dependent relationship, so you cannot really ask a person to give consent when they need to buy something. It needs to be specific, so have clear information, several lines of what needs to be addressed.
It needs to be informed, so content and form requirements should be easily understood, easily accessible, in clear, simple language, especially when the information is given to children or any other special groups. It needs to be active, so opt-in; silence, pre-ticked boxes and inactivity are just not valid. They need to be defined. When we are talking about informed consent, you have more information that you can find on the UKDS webpage. It's important, as we said, that there's a granularity of this defined. So researchers should inform participants about the purpose of the research. They need to discuss what will happen to their contribution, including the future archiving and sharing of their data. They need to indicate the steps that will be taken to safeguard their anonymity and confidence, confidentiality, and they need to outline the right to withdraw from the research and how to do this.

So additional to that, it's also important that the information sheet is either sent in advance or given to respondents when the interview takes place. So general information that needs to be added in this information sheet is the purpose of the research, the type of research intervention, so whether you have a questionnaire that the person needs to fill in or whether it will be a personal interview, and then expose the voluntary nature of participation, the benefits and risks of participating, and then procedures for withdrawing from the study, and then how the usage of data during research and then dissemination and storage will be done, including the benefits, whether there are any, and how you plan to do future publishing, archiving and reuse of data, explaining to participants the benefits of data sharing and indicating whether your research data will be deposited in a data repository. You might even name it. And do not forget to add contact details of the researcher, with the institution, funding source, and how to file a complaint if this is needed.
But when you're collecting personal data, it's suggested to put a bit more information on the information sheet, so things like how personal information will be processed and stored and for how long, signed consent forms, names or email addresses in online surveys, people's visual and video recordings, so if you're doing that it's good to have a bit more information on the information sheet, and then about procedures for maintaining confidentiality of information about the participant and information that the participants share, and then procedures for ensuring ethical use of data, procedures for safeguarding personal information, maintaining confidentiality and de-identification.

So at the end I would like to also show an example that was produced by the SADIS project. So the information that you would have in the consent or information sheet would be like: your privacy, safe storage and further use of data. So we would use wording as: we will treat all the information about you with strict confidentiality and in accordance with the EU General Data Protection Regulation and national data protection laws. Your name and contact information will be replaced by a code. Only the national team that collects data will have access to the code list. When the survey is finished, the national team will send the data without your name or details to the archive, so in this case it was the Norwegian Centre for Research Data, and doing that, your name and contact information will be deleted at a specific time and anonymous data will be stored securely for identified periods. They are made available for use in scientific studies by researchers, students and others interested in European social communities. Additionally, we would say that there is a slight possibility that some background information such as citizenship, age, country of birth, occupation, ancestry and region, and if needed we would expand it, may identify you. In such cases access will only be given to researchers after approval
applications and confidentiality agreements are in place. The results will be published on our website at a specific date and year, and we will make every effort to ensure that no participants will be recognized in any publications based on the study.

So saying that, it's really important to also mention ethical arguments for archiving this kind of data. So we don't want to be a burden to research, so we don't want to over-research groups, especially when we're talking about vulnerable groups or hard to obtain groups like elites and the socially excluded. And by archiving the data and making it public we also extend the voice of participants, and especially we provide greater transparency, greater research transparency.

So to conclude, GDPR as we see it now is research friendly and safeguards the interests and the needs of scientific research institutions. The legal bases for processing data for research purposes are largely in place, but the possibility for member states to include conditions for certain types of data might pose a challenge, especially when you want to exchange data across borders. Then increased risk of identification creates a need for greater transparency to retain public trust. New requirements for information to be provided, new requirements for consent especially, so you need to be able to document that consent has been given, and it needs to be as easy to give it as to withdraw.

Thank you for listening. Bye.